How I exploited Intel's Active Management Technology in China
How I exploited Intel’s Active Management Technology in China
In previous blog, I talked about how I managed to exploit the Russian guy’s Orange Pi 5 and persisted it. In this blog, I want to explain how I exploited Intel® Active Management Technology (AMT) through that board.
Some context
The thing is that after I exploited that Orange Pi 5 and got a shell, I found /[bott.py](http://bott.py) file. This was explained in a previous blog. That file got me interested to see who else had access to this machine. So I analyzed auth.log.* files. It turned out that massive Chinese threat actor team was using this device. I checked the IP address on VT (Virus Total) AND on SR (Soc Radar), and it turned out that the IP was very, very aggressive. I started fighting against those Chinese threat actors and managed to completely remove them from this device. They even had root shell via SSH.
The most interesting part of that was the method of authentication they used. Well, I exploited this device from the ADB shell and then stole the SSH RSA key in order to access the SSH port as root too. Unlike me, those actors used the standard password authentication method on SSH. That means they know the password of root user. This is very weird. I haven’t tried brute-forcing the hash YET, but I don’t think that the password is going to be something easy. This Russian guy is not a cybersecurity expert, but he knows some stuff. He managed to set up a media streaming service on Orange Pi 5. He also managed to create a very nice welcome message on SSH authentication, so there is something else going on that I don’t know.
Like, I removed them from that machine and blocked them with iptables BUT I think I should record traffic and check auth.log.* files for some time in order to see the real source.
What happened?
After I found all IP addresses of those Chinese actors, I started doing port scanning from Orange Pi 5 (I don’t use my IP or my C2 for things like that because I don’t want them to see that it’s me that stole the machine from them, not the owner), and I discovered two very interesting TCP ports:
- 16992/tcp
- 16993/tcp
These ports belong to Intel AMT. What is Intel AMT? Well, I’ll use Google Gemini’s explanation:
Intel AMT (Active Management Technology) is a hardware-based feature for remote management of business computers. It allows IT administrators to monitor, update, and repair systems remotely, even when the computer is powered off or the operating system is unresponsive. This is achieved through a separate microprocessor and firmware subsystem on the motherboard, which creates an independent network connection.
I think you get the point. I started looking for the vulnerabilities (because why not?) and found a VERY interesting CVE. According to this, it’s possible to completely bypass authentication and access the machine: CVE‑2017‑5689.
CVE‑2017‑5689
Now let’s talk about this vulnerability and how it works. I read several documents about this exploit, and I think I know enough to talk about what really happens here. When it comes to authentication, there is a function called NETSTACK_CODE_20431E74. This is responsible for user authentication. At first, everything seems to be fine, but the problem starts at the end of the function. At the very end of the function, we have this:
1 | |
The problem is inside strncmp function’s parameters. As we all know, this function is used for comparing two strings. In this case, the programmer has to tell it the length of those strings.
This is how strncmp function works: It takes two const char* values and one size_t number. This number tells the function how many characters should be compared. When the function starts iterating over those strings, it’ll continue unless the iteration amount becomes equal to the third parameter (provided number) or it finds the \0 character in either string.
The bug here is that the programmer doesn’t give the computed response’s size. It’s giving the number that can be abused by the user. Note that in the snippet shown above, response variable can be completely manipulated by the user. On the other hand, the computed_response variable contains verified data (verified by the programmer).
Also note that if the number is equal to 0, the function will return 0. If the function returns 0, then this is going to happen:
1 | |
And please understand that this is equal to that:
1 | |
So, if the size of the response is 0, we will bypass the authentication completely, because it will never do goto error part!
How did I do that?
First of all, I went to the web UI:
1 | |
Then, I clicked on Log on... button. It’s possible to write anything in username and password fields because they just don’t matter for us. Before I sent that POST request, I modified it from this:
1 | |
To this:
1 | |
As you can see, response parameter was set to "". This will make its length 0, so it’s possible to bypass authentication completely.
How did I punish attackers? I went to remote control and chose Turn power off option, then just pressed the button that said Send Command. That’s all; their gateway is dead now.
Summary
I always say, you need to hack for fun, not to look cool. Many people buy $5,000 laptops and install Kali Linux on them and set terminal colors to green on black. That’s not me. I have Windows 11 Pro on my machine, and I just use other people’s devices to attack my enemies. The question is, who is cooler among us?